macos: codesign for new macos security limitation

Before this change: 1. CALM itself will be shown as a damaged application, the user has to de-quarantine it with command line: xattr -d com.apple.quarantine /Applications/Calm.app 2. CALM made applications, will also be shown as damaged, the user also has to de-quarantine them. After this change: 1. CALM itself still be shown as a damaged application. 2. CALM made applications, will shown as: "cannot be opened because the developer cannot be verified." which is better, since the user could open it with right click.
VitoVan · Aug 8, 2024 · 8fbedd0 · 8fbedd0
1 parent fac5308
commit 8fbedd0
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/build/build.sh b/build/build.sh
@@ -45,6 +45,8 @@ build_darwin () {
     echo "build launcher ..."
     brew install gcc
     gcc src/calm.c -o calm
+    # codesign for macos-14 enhanced security
+    codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime calm
 
     echo "remove Windows fonts dir ..."
     sed '/<dir>C:\\Windows\\Fonts<\/dir>/d' s/usr/all/fonts.conf > tmp-fonts.conf

diff --git a/s/dev/darwin/config-lib.sh b/s/dev/darwin/config-lib.sh
@@ -65,5 +65,6 @@ ls -lah .
 # copy all typelibs
 cp -L -R $(brew --prefix)/lib/girepository-1.0/*.typelib ./
 
-# codesign for macos-14, since we changed those libs
+# codesign for macos-14 enhanced security
 ls *.dylib | xargs -I _ codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
+ls *.typelib | xargs -I _ sudo codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
diff --git a/s/usr/macos/bundle.lisp b/s/usr/macos/bundle.lisp
@@ -13,7 +13,8 @@
          (dist-dir-abs (or (uiop:absolute-pathname-p dist-dir)
                            (uiop:merge-pathnames* dist-dir *calm-env-app-dir*)))
          (app-icon-abs (or (uiop:absolute-pathname-p app-icon)
-                           (uiop:merge-pathnames* app-icon *calm-env-app-dir*))))
+                           (uiop:merge-pathnames* app-icon *calm-env-app-dir*)))
+         (codesign-cmd "codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime "))
 
     ;; clean old bunlde
     (uiop:delete-directory-tree app-dir :validate t :if-does-not-exist :ignore)
@@ -38,7 +39,17 @@
      dist-dir-abs
      app-macos-dir)
     ;; copy icon
-    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir)))
+    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir))
+
+    (u:calm-log "signing everything... (some files need sudo permission)")
+    (u:exec (str:concat "find " app-name ".app/Contents/MacOS/ -type f | xargs -I _ sudo " codesign-cmd " _")
+            :ignore-error-status t)
+    (u:calm-log "signing calm launcher...")
+    (u:exec (str:concat "sudo " codesign-cmd app-name ".app/Contents/MacOS/calm")
+            :ignore-error-status t)
+    (u:calm-log "signing the application bundle itself...")
+    (u:exec (str:concat "sudo " codesign-cmd app-name ".app")
+            :ignore-error-status t))
 
   (u:calm-log-fancy "~%Application Bundle created: ~A.app~%" app-name))